Add experimental support for IFBs

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8267 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -2,6 +2,8 @@ Changes in 4.1.6
 
 1)  Deprecate IMPLICIT_CONTINUE=Yes
 
+2)  Add REDIRECTED INTERFACES column to tcdevices.
+
 Changes in 4.1.5
 
 1)  More ruleset optimization.

Shorewall-common/releasenotes.txt

@@ -65,12 +65,32 @@ Migration Issues.
 5)  The value of IMPLICIT_CONTINUE in shorewall.conf (and samples) has
     been changed from Yes to No.
 
-Problems corrected in 4.1.5.
+Problems corrected in 4.1.6.
 
 None.
 
 New Features in 4.1.6.
 
+1)  The default value for the IMPLICIT_CONTINUE option has been changed
+    to 'No'.
+
+2)  A REDIRECTED INTERFACES option has been added to the tcdevices file
+    to support using an IFB (Intermediate Functional Block) device.
+
+    IFBs can be used to shape incoming traffic by redirecting that
+    traffic through the IFB.
+
+    To use this feature:
+
+       a) Specify the name of your IFB in the INTERFACE column.
+       b) List the redirected device names (comma-separated) in the
+          REDIRECTED INTERFACES column.
+
+    Packets that are input from the redirected interface(s) will appear
+    as output packets on the IFB.
+
+    This support should be considered EXPERIMENTAL.
+
 New Features in Shorewall 4.1.
 
 1)  Shorewall 4.1 contains support for multiple Internet providers

Shorewall-common/tcdevices

@@ -6,5 +6,6 @@
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
 ###############################################################################
-#INTERFACE	IN-BANDWITH	OUT-BANDWIDTH		OPTIONS
+#INTERFACE	IN-BANDWITH	OUT-BANDWIDTH	OPTIONS		REDIRECTED
+#								INTERFACES
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall-perl/Shorewall/Tc.pm

@@ -309,8 +309,8 @@ sub calculate_quantum( $$ ) {
     int( ( $rate * 125 ) / $r2q );
 }
 
-sub validate_tc_device( $$$$ ) {
+sub validate_tc_device( $$$$$ ) {
-    my ( $device, $inband, $outband , $options ) = @_;
+    my ( $device, $inband, $outband , $options , $redirected ) = @_;
 
     fatal_error "Duplicate device ($device)"    if $tcdevices{$device};
     fatal_error "Invalid device name ($device)" if $device =~ /[:+]/;
@@ -327,9 +327,18 @@ sub validate_tc_device( $$$$ ) {
 	}
     }
 
+    my @redirected;
+
+    @redirected = split_list( $redirected , 'device' ) if defined $redirected;
+
+    for my $rdevice ( @redirected ) {
+	fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
+    }
+
     $tcdevices{$device} = { in_bandwidth  => rate_to_kbit( $inband ) . 'kbit' ,
 			    out_bandwidth => rate_to_kbit( $outband ) . 'kbit' ,
-			    classify      => $classify };
+			    classify      => $classify , 
+			    redirected    => \@redirected };
 
     push @tcdevices, $device;
 
@@ -415,10 +424,10 @@ sub setup_traffic_shaping() {
 
 	while ( read_a_line ) {
 
-	    my ( $device, $inband, $outband, $options ) = split_line 3, 4, 'tcdevices';
+	    my ( $device, $inband, $outband, $options , $redirected ) = split_line 3, 5, 'tcdevices';
 
 	    fatal_error "Invalid tcdevices entry" if $outband eq '-';
-	    validate_tc_device( $device, $inband, $outband , $options );
+	    validate_tc_device( $device, $inband, $outband , $options , $redirected );
 	}
     }
 
@@ -467,6 +476,10 @@ sub setup_traffic_shaping() {
 		   );
 	}
 
+	for my $rdev ( @{$devref->{redirected}} ) {
+	    emit( "run_tc filter add dev $rdev parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $device" );
+	}
+
 	$devref->{number} = $devnum++;
 
 	save_progress_message_short "   TC Device $device defined.";